Question to developers: what hardware information reveals Qubes system clearnet traffic to an ISP?

You are right - VMs were not made specifically for that purpose, of
protecting users from exposing real hardware info, and it is a mistake
for users to utilize them for this. Tor Browser does not hide device
information.
Telegram is one of the issues from what you have said, but it is far
more likely that your OPSEC will be the issue, rather than use of any
particular technology.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

NIC - Network Interface Card? Could you, please, give some link explaining how it works? I tried to find it, but there were no articles related to network card identification.

There is a flatpak version. Probably better than the vanilla version.

Oh, I see. That’s what you were hinting at all the time. I forgot about the number because for users from Russia this point is self-evident. No one (at least no one smart enough) will use his own real number for creating such a Telegram account, nor use his personal existing account. For this purpose there are many services that sell already created accounts as tdata folders.

I was told and heard many times that it’s much better to use Tor Browser than some apps, because apps installed in your OS see every piece of hardware info and potentially can transfer it to the owners or someone else. But in contrast, Tor Browser shows only some browser info and some OS info, but not hardware. Unless you mean screen resolution and some similar stuff. But it’s still much less than apps that see all hardware info.

You asked about processor model. No, I haven’t found exact confirmation about that yet. Is it conceivable? Maybe? Why? I’ll elaborate.

Note, this isn’t an issue specific to Qubes. It should apply to any operating system.

Tools like p0f can infer the operating system using passive traffic fingerprinting. Sources:

Tethering can also be detected using passive traffic fingerprinting. [1] [2]

But encrypted tunnels such as Tor, bridges, VPN? No, that doesn’t help. This is fingerprinting the TCP/IP stack directly. Even the tunnel itself has to make connections for itself.

But what might help is what most users are using. A router. (Home router / access point.) But then again, they often use the router of their ISP, which might run ISP firmware and might be considered owned by the ISP. Related: The State of Router Insecurity

Why would a secure router help? Because what’s actually getting fingerprinted is the router. Not the end user device (computer or notebook). This is somewhat contradicted by tethering detection, which I mentioned earlier. [1] [2]

But why limit this to passive traffic fingerprinting? Why not active traffic fingerprinting? Automated whole-internet IP scans and automated exploitation attempts are being performed all the time. One more active traffic fingerprinting attempt would not be noticed. What is getting actively attacked here is the router. I am not sure whether the router should be considered trusted or compromised.

Any ISP could also perform active/passive traffic fingerprinting with plausible deniability. Network issues exist.

To think this through further, it’s important to know which threat model to consider:

  • A) A trustworthy router? Or,
  • B) Being connected to a WiFi hotspot?

I’ll explore the harder case, A). Here’s a suggestion on how to phrase this question suitable for AI based search engines.

  • Consider a user who is using a router. The router is assumed to be secure in the threat model and is not compromised or hacked.
  • The user routes all traffic through an encrypted tunnel, such as Tor or a VPN.
  • There are no DNS leaks or other traffic leaks; all network communication strictly passes through the encrypted tunnel.
  • For the purpose of this inquiry into device fingerprinting, the encrypted tunnel is assumed to be secure and opaque to outside observers.
  • The ISP is considered an adversary attempting to fingerprint devices behind the router.
  • The ISP cannot hack or compromise the router.
  • The ISP has access to TCP/IP-layer metadata and can employ both active and passive fingerprinting techniques.

What other non-TCP/IP-related attacks can the ISP perform?

A variation I would suggest is replacing the last line above with the following:

The question is:

  • Does the ISP have access only to TCP/IP-layer metadata, and can it employ both active and passive fingerprinting techniques?
  • What other non-TCP/IP-related attacks can the ISP perform?
  • Can the ISP see or infer the presence of any devices behind the router, given that all traffic is tunneled and the router is secure?
  • What specific types of information can the ISP deduce about the devices behind the router (e.g., device count, operating systems, etc.)?
  • Can timing analysis reveal what type of Wi-Fi card is in use based on the Wi-Fi chipset specific characteristics, due to timing signatures specific to different hardware?
  • Is it possible for the ISP to deduce the CPU type or other hardware characteristics of connected devices?
  • Given that ISPs can already detect tethering activity, what other similar device-related traits can they potentially uncover?

The second best paper on the topic I found so far: DeviceRadar: Online IoT Device Fingerprinting in ISPs using Programmable Switches

The best paper on the topic I found so far: Remote Physical Device Fingerprinting

We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device’s known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semipassive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device’s system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

They’re using TCP timestamps and ICMP timestamps, so it’s probably good to have these disabled. They didn’t mention TCP ISN, but it is known that these are an issue as well. [3]

In summary, I’ve posted the worst offenders I could find. But no, at the time of writing, I couldn’t find any research papers that claim to have induced CPU type using network fingerprinting.



I am not aware that anyone is constantly monitoring that for all releases?

If this is something you care about, it’s best if you contribute by developing and setting up monitoring.

Is it really the best to have no clearnet traffic at all, no network time synchronization, no update traffic, no DNS, no TCP/UDP ever except connection(s) to an encrypted tunnel? That raises less flags? How many people in that area are capable of setting that up?
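The clock-skew measurement from the Kohno et al. paper quoted above, as an added teaching example (not code from the paper, the Qubes project, or this thread): the remote host's TCP timestamp option (TSval) is compared against local receive time, and the slope of the growing offset is the hardware clock skew in ppm. The simulated host, its skew, the 1000 Hz timestamp clock and the jitter values are all constructed; the point is that a host with TCP timestamps disabled (net.ipv4.tcp_timestamps=0) yields no TSval and therefore nothing to measure.

```python
"""Estimate a remote host's clock skew from TCP timestamp (TSval) samples.

Teaching reimplementation of the passive technique in "Remote Physical
Device Fingerprinting" (Kohno et al.): skew is the slope of
(remote clock offset) against (local receive time). The original uses a
linear-programming lower-bound fit; ordinary least squares is used here
as a simplification. All inputs below are constructed, not captured.
"""
import random


def offsets(samples, hz):
    """(elapsed_local_s, remote_offset_s) pairs; None TSvals are skipped."""
    pts = [(t, v) for t, v in samples if v is not None]
    if len(pts) < 2:
        return []                      # timestamps disabled: nothing to fit
    t0, v0 = pts[0]
    return [(t - t0, (v - v0) / hz - (t - t0)) for t, v in pts]


def skew_ppm(samples, hz):
    """Least-squares slope of offset vs. local time, in parts per million,
    or None when the host sends no TCP timestamps."""
    pts = offsets(samples, hz)
    if not pts:
        return None
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    return sxy / sxx * 1e6


def simulate_host(true_skew_ppm, hz, n, duration_s, jitter_s, seed,
                  timestamps_enabled=True):
    """Constructed observation set: a host whose clock runs at
    (1 + skew) the true rate, seen through uniform network-delay jitter."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = i * duration_s / (n - 1)
        remote = t * (1 + true_skew_ppm / 1e6)       # remote clock reading
        tsval = int(remote * hz) if timestamps_enabled else None
        out.append((t + rng.uniform(0, jitter_s), tsval))
    return out


if __name__ == "__main__":
    host = simulate_host(50, 1000, 200, 3600, 0.02, seed=1)
    print("estimated skew: %.2f ppm" % skew_ppm(host, 1000))
    print("timestamps off:", skew_ppm(simulate_host(50, 1000, 200, 3600,
                                                    0.02, 1, False), 1000))
```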


Some of the users from these countries may be using their own internet connection, and in this case there will most likely be other, not anonymized, clear traffic (since they will be using it not only for suspicious things but also for regular, “conscientious use”). But those of them who prefer to be protected to the maximum are using non-ISP USB modems with “anonymous SIM cards” (bought not with their personal data, but from black-market sellers). Some others (more skilled) may hack random people’s home Wi-Fi from neighboring residential apartment buildings or even from other quarters, using so-called “Wi-Fi cannons” (not sure they are also called that in English). As you can understand, those from the last two groups worry less about the absence of clearnet traffic. Especially the third group.
P.S. All described above is not just my assumption. I know for sure that people do this.